Fog Creek Software
Discussion Board




Source code for Half Life 2 stolen!


Saw this @ www.evilavatar.com, but I think it's been Slashdotted by now as well.

Apparently, the thieves got in via the CEO's Outlook.

It also looks like source for licenced tools (the Havok engine) was also stolen, which is a significant legal issue.

The theft occured about a month ago, which likely explains the recent slippage in the game's release date.

I feel for them. On the other hand, my buddy and I were having a lot of fun playing with scenarios like:

"$5 million big ones or you never see the source code again"

or

"Send us money or we'll ship the code back to you one subroutine at a time"

anon
Friday, October 03, 2003

So the source code was stored on a server connected to an Internet facing network/machine?

John Topley (www.johntopley.com)
Friday, October 03, 2003

Proprietary software is their bread and butter, so I would have figured a company like Valve would have isolated development departments from each other wth firewall policies. But I guess if the CEO is also a coder, that kinda messes things up for the firewall policies.

Li-fan Chen
Friday, October 03, 2003

From what I've read, they didn't actually lose the source code. A copy is out in the wild. They still have their own copies of the source code.

And this just goes to show why any firewall policy that assumes "things from inside are inherently safe" is a bad policy. They trojan'd in, and were able to get back out, rather than having to break in.

If Microsoft doesn't think stuff like this is ultra-bad news for Outlook and Exchange, they're high on crack.

Brad Wilson (dotnetguy.techieswithcats.com)
Friday, October 03, 2003

[So the source code was stored on a server connected to an Internet facing network/machine? ]

I'm not totally clear on the circumstances there. The CEO mentioned that a keystroke capture tool was installed on his machine by the hackers, so perhaps they got access to the machine with the source code this way.

You wouldn't have to steal it from the server, would you? I mean, any developer could have a local, check out copy of parts, if not all of the source code. The developers machines would almost certainly have Internet access.

anon
Friday, October 03, 2003

According to the write up at http://www.arstechnica.com , a buffer overflow in outlook was used to install a trojan on a developer's machine.  Not sure whether they then logged passwords or what, but that's how they got their foot in the door.

Brian
Friday, October 03, 2003

According to a posting on a Half-Life fan site from the Valve CEO (Gabe Newell) his own machine was the one compromised, and it was done via a buffer-overflow exploit in the Outlook preview pane.  #1 reason not to enable the preview pane option in Outlook.

Apparently it was a one-off piece of code that was used to gain control of his machine, hence the virus scanners weren't picking it up, as the thing wasn't sent to anyone else and thus wasn't running around in the wild.

I'm with you guys though - having critical code on a network exposed to the outside world seems like a very bad idea.

Mitch & Murray (from downtown)
Friday, October 03, 2003

The major problem here is that major virus fighters are ignoring some pretty major "legitimate" covert keystroke capturing softwares out in the wild. I guess the whole logic was that as long as the use is legit it's better to have employee or spousal monitoring that was less obvious (and more convenient) than a hardware keystroke capturing program than not having one.

Li-fan Chen
Friday, October 03, 2003

Flashbacks to antitrust. . .

I can just see it now, companies using their own backdoors to steal code. . .

...
Friday, October 03, 2003

So...does this mean that we can expect to see the game sooner, cuz I just bought an ATI Radeon 9800 Pro and I'm just itching to see HF2 on it! 

:')

Mark Hoffman
Friday, October 03, 2003

>>I'm with you guys though - having critical code on a network exposed to the outside world seems like a very bad idea.

Do you practice what you preach?  Does the machine you're posting these messages from really not have any important source code on it?  I'll tell you right now...  I'm browsing here because I'm waiting for a long compile to finish.

Brian
Friday, October 03, 2003

There's definitely a few way you can be at your machine and still see two security levels in front of you--isolated from one another. For example you can use terminal services to log into another machine just for surfing. That machine would be in a firewalled off place while your developer box keeps compiling.

Li-fan Chen
Friday, October 03, 2003

Also you can run VMWare pre harden by a knowledgible admin to only allow traffic over a VPN to a less secure network. If the VMWare box is subverted there should be an alarm though, unless you can firewall off the VMWare from the physical network in a way that still allows VPN traffic.

Li-fan Chen
Friday, October 03, 2003

I'm curious to know how many developers here have their development machines completely isolated from the Internet.

Anyone?

Alex
Friday, October 03, 2003

my dev box is my web surfing box, both at home and at work.  i'm pretty sure my boss would laugh at me if i asked for another box just for web surfing.

nathan
Friday, October 03, 2003

I got two. One dev box and then a cheap MiniITX 800mhz box that I use for surfing and mail and stuff.

Eric DeBois
Friday, October 03, 2003

I know many people have seperate boxes so that they can do other things while the computer is crunching and compiling.  But I'm wondering how many people have _completely_ seperate development and "non-development" networks.

I sure don't.

Alex
Friday, October 03, 2003

KVM Switch = $25

El Cheapo Dell box for email and web access = $399

Development systems off the 'net = Priceless


Been hacked once, don't need that again.  What do you bet after this Half-Life fiasco the "development systems and server off the net" philosophy gains real traction?

Seems like I read somewhere that id was broken into once or twice as well.  High profile targets are going to require pretty drastic measures to stay secure anymore, I think.

Not much different than someplace like the CIA when you think about it.  This is the kind of thing the Spook Shops do, have been doing for years.

Mitch & Murray (from downtown)
Friday, October 03, 2003

> KVM Switch = $25

Last time I looked they were closer to $100.... I'd buy one for $25, it would save me having to switch my monitor cable when I want to do something that VNC can't handle.

Mark T A W .com
Friday, October 03, 2003

Hello Mark:

Go to provantage.com and search on "kvm".

25 yankee dollars or so will buy you a 2 system KVM switch, all cables included.  Maybe $30 tops.  IOGear and D-Link both sell KVM switches in this price range I believe.

Not so many years ago you had to spend $100 on a two system switch _plus_ you had to buy all the trick cables, whcih ran at least another $100.  Not anymore.

Mitch & Murray (from downtown)
Friday, October 03, 2003

Well keep in mind that it is more than just getting a kvm and a cheapo second computer for most people.  There needs to be an entire second network set up for the dev machines.  And you're assuming that you never ever want your dev machine to have outside access, which is not necessarily a very good assumption.

Mike McNertney
Friday, October 03, 2003

Guys, I am amazed on how you believe in firewalls. You cannot solve the problem with unsecure systems with firewalls. Just think, the code was stolen through Outlook, how you can prevent that kind of things with a firewall. You cant. The fact of the matter is that the security is complex issue and installing firewalls just would lure you into false believe of security.

Passater
Friday, October 03, 2003

Mark:
http://www.pricegrabber.com/search_getprod.php/masterid=637317/search=kvm/ut=4463a72f6b22f084
KVM w/ cables for around $30.

nathan
Friday, October 03, 2003

"There needs to be an entire second network set up for the dev machines. "

Yes, you are right.  There I go again.  Add this to my last BOG:

>>> 100 mb/sec switch = $60

I can see where the costs for the cable and network switch for that second "invisible to the 'net network" are going to blow my whole idea out of the water.

Yes, you are right, whatever you do, don't do this.

Mitch & Murray (from downtown)
Friday, October 03, 2003

I've never worked anywhere that kept dev systems off the net. If we were going to carry that idea to its logical conclusion, we should really keep all of our systems off the net (stealing the business plan might actually be worse than stealing the source code).

As for getting hacked via the Outlook preview pane, you can configure Exchange to forbid executable attachments and that solves a lot of problems. Taking machines off the net seems like a pretty drastic solution.

Beth
Saturday, October 04, 2003

I second Passator, it's not just firewall.
All communication to development machines (should they still have net access, or fire share).. should be reevaluated.

Ability for developers to install their own software will also have to be a serious concern. There are too many software that comes with crap on them now days and that don't help (while we can be sure big companies can keep viruses and worms and snooping software out of final distrio binaries, the same can't be said for overworked mom and pop programming tool shops)

Li-fan Chen
Saturday, October 04, 2003

I'm not exactly sure how the Outlook bug works, but you have to be pretty damn stupid to open email attachments that you know nothing about.

It's really hillarious if you think about it.  People go around blaming Microsoft for anything and everything and yet they see fit to go surf the Internet and look at pornography and submit there email address to all kinds of gimmicks.  How stupid can people really be...  Apparently I have greatly over-estimated most peoples intelligence.

Script Kiddie (In the Basement)
Saturday, October 04, 2003

The bug is an overflow in the preview pane. Merely looking at the e-mail message is enough to get infected. You don't have to run anything.

Ditto a bug that's as yet unpatched for IE. Merely visiting a website with the bad code on it will cause you to become infected.

Brad Wilson (dotnetguy.techieswithcats.com)
Saturday, October 04, 2003

Our development machines have no net connection, but then we're an MoD company, and I think that's a requirement if you want to be approved by the MoD...

It's a pain in the ass sometimes - rather than just cutting and pasting an emacs script or whatever off of the web, I'd have to retype it, or put it on a disk & transfer it over to my secure machine.  But something like this makes you realise it's probably justified...

Jon
Saturday, October 04, 2003

Ok, I do understand that exploiting a buffer overflow in the CEO's Outlook compromises his machine. Bad luck. But it's absolutely beyond my imagination how the hacker could then (1) step into their software maintenance system (CVS?), (2) silently find the correct repository (which means (3) there was a semi- or true remote connection to the CEO's machine _from_outside_), (4) crunch the whole project to be (5) transferred over the internet (or was it (5b) sent through Outlook?)

Not to mention (3b) obtaining the proper access rights from the CEO's machine to access that repositoy.

Yes, I know, the hacker(s) used keyloggers. But how comes the CEO has access to that repository? I guess with all the marketing efforts (a.ka. community building) the CEO has to keep track of other things than LOC.

So I guess there's more to this than a simple exploit in Outlook and a physical connection between a CEO's machine and the development department.

Johnny Bravo
Saturday, October 04, 2003

call it trust.
or call it the hard shell security model.

why *shouldn't* the CEO be given access to the code? who wants to manage the complexity of assigining ACLs to every resource in the company?

it looks like someone found a way to exploit this here. either took some inside knowledge, or they listened for a while (wait for status mail which says "we checked the new cool features into :server:blah:/file/here.c", then you know where to look next).

mb
Saturday, October 04, 2003

> The bug is an overflow in the preview pane. Merely looking at the e-mail message is enough to get infected. You don't have to run anything. Ditto a bug that's as yet unpatched for IE. Merely visiting a website with the bad code on it will cause you to become infected.

This is not correct. Outlook should be configured to be in the Restricted Sites zone, in which case javascript will usually be disabled. That completely removes this vulnerability. What's more, this has been the default setting for Outlook for a couple of years.

On another subject, I would say the source code was pinched from a public server and the URL and logon details pinched from email messages. A guy like the CEO would be always accessing stuff from outside the office.


Saturday, October 04, 2003

"This is not correct. Outlook should be configured to be in the Restricted Sites zone, in which case javascript will usually be disabled. That completely removes this vulnerability. What's more, this has been the default setting for Outlook for a couple of years."

Except that it IS correct. Not everybody patched. Not everybody is running Outlook 2003. The fact of the matter is, this bug is still out in the wild, because there are people on old versions of Outlook that haven't adjusted their security settings.

Brad Wilson (dotnetguy.techieswithcats.com)
Sunday, October 05, 2003

I thought it was a customized for this company buffer overflow worm exploit, not some javascript issue. If so, disabling javascript wouldn't help.

It's a video game company. Of course the CEO is a coder as well -- he is usually the one that wrote the game's engine. So why shouldn't he have access to CVS? Joel is CEO and he has access to CVS I am sure.

Dennis Atkins
Sunday, October 05, 2003

I have no idea why anyone is still using Outlook.

Around the middle of the '90s Microsoft anounced they were going to merge IE with the desktop. Then they described how all these different programs would all be able to have the new look-and-feel, and the Microsoft HTML control would handle everything.

A little while after that, I banned Outlook and IE on our LAN.

Then, something utterly inconceivable happened.

A bit of background: back in the '80s we used to joke about email viruses that would activate without you having to save and run a program. It was called the "Good Times" virus, and every time someone sent out a new "Good Times" virus hoax, it got more and more ridiculous. When someone came up with a virus that you couldn't delete because it would infect your computer when you *selected it*, we thought they'd gone too far. Nobody would write a mail program that could do that!

Microsoft did. Melissa and her descendents showed up, and I looked pretty good around work. While the rest of the company was running around patching Outlook, we just kept working.

Microsoft's in a race against itself now. Because their software defaults "open", one part of the company is coming up with new avenues a virus can exploit while another part is trying to find and patch all the holes viruses are using. And they show no sign that they're going to change that.

For the love of god, people, why do you keep using Outlook and IE and the rest?

NT is a nice solid desktop OS, and the Window UI is still a pretty damn good one, easily usable with mouse or keyboard. But the part of the company that's responsible for IE and Outlook needs to be walled up behind concrete until they rip the data access code out of the heart of the HTML display module, so it can't get to ANYTHING or do ANYTHING except display what's passed to it by the application.

Until that happens, I'm staying as far away from Outlook, IE, Windows Media Player, and related applications as I can.

Peter da Silva
Sunday, October 05, 2003

This just in. Looks like they've traced the mode of entry to a vulnerability in IE:

http://www.eweek.com/article2/0,4149,1307532,00.asp

"October 3, 2003     
Security experts are blaming known but unpatched vulnerabilities in Microsoft Corp.'s Internet Explorer for the theft and distribution of the source code for a much anticipated new video game.
...The theft of the code, which was made available for download on the Net, came after a monthlong concerted effort by hackers to infiltrate Valve's network. Malicious activity in the Valve network included denial-of-service attacks, suspicious e-mail activity and the installation of keystroke loggers, Newell added.
...[Microsoft] was also stung by a recent report arguing that the dominance of Windows is a hindrance to computing security."

Interesting. If I recall correctly, many on this very board said that that report saying MS products lead to security problems was just a bunch of lies.

Is it worth risking your life's work to use MS products? Something we all should be asking.

Dennis Atkins
Monday, October 06, 2003

"The theft of the code, which was made available for download on the Net, came after a monthlong concerted effort by hackers to infiltrate Valve's network"

I think someone at Valve should have seen this coming and taken the source code off of internet exposed systems. Seriously.

I am merrily surfing with a computer that has my source code on it, but this code is pretty worthless to anyone (in-house database stuff for a water cooler company - hardly cool or sexy ;-) so I'm not very concerned. But if I was a game developer, especially such a hit-before-launch game, and would see attempts to crack my network, I'd put up an internal network that has no outside connections and keep the development work there.

Better safe than sorry, if you allow the usage of worn out sayings.

Antti Kurenniemi
Monday, October 06, 2003

"Is it worth risking your life's work to use MS products? Something we all should be asking. "

We could also be asking how, exactly, one would develop a Windows application without using them...

Philo

Philo
Monday, October 06, 2003

You try cutting the internet connection of thirty games developers and see how long you last.

Mr Jack
Monday, October 06, 2003

"Is it worth risking your life's work to use MS products? Something we all should be asking."

So what alternative do you recommend Dennis? No obvious one springs to mind. Since this was a concerted effort on a tactical invasion, the traditional "I run something less popular so maybe the script kiddies will not notice me standing naked in the bush" tactic would be useless.

Just me (Sir to you)
Monday, October 06, 2003

Hey y'all: I'm a gamer who happens to be a law student as well.  I played and loved HalfLife, and the theft of this code has prompted me to write an article for my school's law review.

I was wondering if you have any thoughts as to how to reconcile the fact that CounterStrike was really what made HalfLife the huge commercial success that it was and the issue that that mod wouldn't have been developed w/out individual programmers efforts.  I guess I want to figure out and discuss how the original product deserves protection to encourage Valve to keep creating great games, but also address the point that the game itself can be but a starting point toward a much more commercially successful version.

any thoughts?  By the way, law school is no fun, and i should mention that if i use your posting, I will footnote you for publishing.

cheers

Alex Barton
Wednesday, October 15, 2003

*  Recent Topics

*  Fog Creek Home